TDR and Norton Security

Deployment Overview

Threat Detection and Response (TDR) is a collection of advanced malware defense tools that correlate threat indicators from Fireboxes and Host Sensors to enable real-time, automated response to stop known, unknown, and evasive threats.

As part of the TDR solution, you install TDR Host Sensors to provide endpoint protection. In some cases, the TDR Host Sensor might have conflicts with the antivirus software installed on your endpoints. To resolve this issue, you can configure exclusions in the antivirus software and in TDR.

This document describes the steps to deploy a TDR Host Sensor on a host that runs Norton Security software. It does not describe all steps necessary to set up your Threat Detection and Response account. Before you begin, make sure to set up your TDR account and enable TDR on the Firebox. For information about how to set up your TDR account, TDR deployment best practices, and how to enable TDR on a Firebox, see Quick Start — Set Up Threat Detection and Response.

Configuration Summary

To avoid conflicts between the TDR Host Sensor and Norton Security, add these exclusions:

  • Exclusions in TDR for Norton Security — For Windows:
    • C:\ProgramData\Norton\
    • C:\Program Files (x86)\Norton Security Scan\
    • C:\Program Files\Norton Security\
  • Exclusions in TDR for Norton Security — For Mac:
    • /Application/Norton Security/
  • Exclusions in Norton Security for the TDR Host Sensor — For Windows:
    • 64-bit Windows — C:\Program Files (x86)\WatchGuard\Threat and Response\amd64\host_sensor.exe
    • 64-bit Windows — C:\Program Files (x86)\WatchGuard\Threat and Response\amd64\TDRSensorStatus.exe
    • 32-bit Windows — C:\Program Files\WatchGuard\Threat and Response\amd64\host_sensor.exe
    • 32-bit Windows — C:\Program Files\WatchGuard\Threat and Response\amd64\TDRSensorStatus.exe
  • Exclusions in Norton Security for TDR — For Mac:
    • /usr/local/watchguard/tdr/amd64/host_sensor

If the Host Sensor and Norton Security detect and respond to a threat at the same time, this can cause high utilization of system resources such as CPU, memory, and disk I/O.

Configuration Details

To complete this deployment, you must have:

  • An active Threat Detection and Response subscription with Host Sensor licenses
  • Norton Security
    • Norton Security — Windows
    • Norton Security 7.8 — Mac

The TDR and Fireware versions tested for this deployment included:

  • TDR Host Sensor
  • Firebox with Fireware v12.0 or higher

The Windows test environment for this deployment included:

  • Windows 7, 8.1, 10 Enterprise 64-bit Operating System
  • Memory (RAM) — 8 GB
  • Processor — 2 CPU Cores

The Mac test environment for this deployment included:

  • macOS 10.13
  • Memory (RAM) — 8 GB
  • Processor — Intel Core i5

Configure Exclusions in TDR

In your TDR account, exclusions manually identify the paths of files and processes that you do not want Host Sensors to monitor. Before you deploy a Host Sensor on computers that have Norton Security installed, add the Norton Security file paths as TDR exclusions in your TDR account.

In your TDR account, add the TDR exclusions for the paths shown in the Configuration Summary.

Unless otherwise noted, configure each TDR exclusion with these options, which are selected by default:

  • Also exclude subfolders
  • Entities to exclude: Files and Processes

To add an exclusion in TDR:

  1. Log in to your TDR account or managed account as a user with Operator privileges.
  2. Select Configuration > Exclusion.
  3. Click Add Exclusion.
    The Add Exclusion dialog box appears.
  4. In the Path text box, type the path to exclude. Folders specified in an exclusion must end with a backslash.
  5. To apply the exclusion to all hosts, in the Hosts / Groups text box, specify the group All Hosts.
  6. Click Save & Close.

Repeat these steps to add each exclusion.
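
A pre-flight check for the exclusion list before you type it into the TDR account, as an added example that is not part of the WatchGuard documentation: it enforces the trailing-separator rule from step 4 and flags folder exclusions that are too shallow to combine safely with Also exclude subfolders. The function names, the depth threshold, and the use of a forward slash as the trailing separator for Mac paths are assumptions of this sketch.

```python
import ntpath
import posixpath

# Assumed policy for this sketch (not a TDR rule): with "Also exclude
# subfolders" on, a folder exclusion must sit at least this many levels
# below the drive or filesystem root.
MIN_DEPTH = 2

def lint_exclusion(platform, kind, path):
    """Return the problems found in one exclusion; an empty list means OK.

    platform is "windows" or "mac"; kind is "folder" or "file".
    """
    mod, sep = (ntpath, "\\") if platform == "windows" else (posixpath, "/")
    drive, rest = mod.splitdrive(path)
    problems = []
    if not rest.startswith(sep) or (platform == "windows" and not drive):
        problems.append("path is not absolute")
    if kind == "folder" and not path.endswith(sep):
        problems.append("folder path must end with a separator")
    if kind == "file" and path.endswith(sep):
        problems.append("file path must not end with a separator")
    # Count the components below the root to spot over-broad folders.
    depth = len([part for part in rest.split(sep) if part])
    if kind == "folder" and depth < MIN_DEPTH:
        problems.append("folder is too broad to exclude with subfolders")
    return problems

# Constructed input: two paths from the summary plus three made-up mistakes.
SAMPLE = [
    ("windows", "folder", "C:\\ProgramData\\Norton\\"),
    ("mac", "folder", "/Application/Norton Security/"),
    ("windows", "folder", "C:\\Program Files\\Norton Security"),
    ("windows", "folder", "C:\\Program Files\\"),
    ("mac", "file", "usr/local/watchguard/tdr/amd64/host_sensor"),
]

def lint_all(entries):
    """Map each failing path to its list of problems."""
    report = {}
    for platform, kind, path in entries:
        problems = lint_exclusion(platform, kind, path)
        if problems:
            report[path] = problems
    return report

if __name__ == "__main__":
    for path, problems in lint_all(SAMPLE).items():
        print(path, "->", "; ".join(problems))
```

An exclusion that fails the separator or absolute-path check may never match, which leaves the conflict in place, while an over-broad folder exclusion removes Host Sensor visibility from everything beneath it.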

Configure Exclusions in Norton Security

To exclude directories used by the TDR Host Sensor, add the exclusions for the paths listed in the Configuration Summary.

To add an exclusion in Norton Security for Windows:

  1. Click Setting.
    The Setting page appears.
  2. Click Firewall.
    A list of options appears.
  3. Select the Program Control page.
  4. Click Add.
  5. Select add file, then click OK.
  6. In Options, select Allow always, then click OK.
  7. Click Apply.

To add an exclusion in Norton Security for Mac:

Note: This configuration applies only when Application Blocking is enabled in the Firewall. Application Blocking is disabled by default.

While TDR is running and Application Blocking is enabled in the Firewall, Norton Security shows a pop-up window to notify the user that the application host_sensor is attempting to connect to the Internet. Click Allow.

For information about the integration testing methods, see TDR Testing Methodology.
